authorGerald Combs <gerald@wireshark.org>2000-11-19 16:58:57 +0000
committerGerald Combs <gerald@wireshark.org>2000-11-19 16:58:57 +0000
commit2c456a433a556d464f0f08825d7454c6326c6b89 (patch)
tree86144bdb20467d758a6ed148f7293f9ca50ebfce
parent252d55d80f92fa8267758fbf4faab520d2f79273 (diff)
Fix buffer overruns:
- packet-afs.c: dissect_acl() didn't restrict the size of a string read with sscanf(). An exploit has been released.
- packet-nbns.c: When passed an illegal name, get_nbns_name() would overrun nbname with an error message. This isn't exploitable AFAIK, but it could result in a crash.
- packet-ntp.c: dissect_ntp() wasn't checking the length of the reference clock's host name. This is most likely exploitable. This fix simply lops off the end of the host name if it's too long. We should probably add an ellipsis (...) as we have done in other places in the code.

svn path=/trunk/; revision=2671
-rw-r--r--packet-afs.c8
-rw-r--r--packet-nbns.c6
-rw-r--r--packet-ntp.c5
3 files changed, 11 insertions, 8 deletions
diff --git a/packet-afs.c b/packet-afs.c
index 2485d30aba..69d2c261c9 100644
--- a/packet-afs.c
+++ b/packet-afs.c
@@ -8,7 +8,7 @@
* Portions based on information/specs retrieved from the OpenAFS sources at
* www.openafs.org, Copyright IBM.
*
- * $Id: packet-afs.c,v 1.23 2000/11/19 08:53:54 guy Exp $
+ * $Id: packet-afs.c,v 1.24 2000/11/19 16:58:57 gerald Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@zing.org>
@@ -442,7 +442,7 @@ static void dissect_acl(const u_char *pd, int offset, frame_data *fd, proto_tree
int n, i, bytes;
u_char const *s;
u_char const *end;
- char user[128];
+ char user[128]; /* Be sure to adjust sscanf()s below if length is changed... */
int curoffset;
int soff,eoff;
@@ -480,7 +480,7 @@ static void dissect_acl(const u_char *pd, int offset, frame_data *fd, proto_tree
*/
for (i = 0; i < pos; i++) {
- if (sscanf((char *) s, "%s %d %n", user, &acl, &n) != 2)
+ if (sscanf((char *) s, "%127s %d %n", user, &acl, &n) != 2)
return;
s += n;
ACLOUT(user,1,acl,n);
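Review bot: The `%127s` width bounds the write into `user`, but `sscanf((char *) s, ...)` in this loop and in the `neg` loop of the next hunk still scans forward from `s` until it meets a NUL, and nothing visible in these hunks compares `s` with `end` or shows that the data is NUL-terminated. If the ACL text comes straight from the captured frame, a truncated or malformed packet could make the scan read past the captured bytes, so the read side needs a bound as well as the write side. At minimum I would document the precondition above the loops, e.g. `/* s must be NUL-terminated within [s, end) before the sscanf() calls below */`, and stop when `s >= end` after each `s += n;`. dissect_acl's body starts and ends outside the hunk, so such a check may already exist there.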
@@ -489,7 +489,7 @@ static void dissect_acl(const u_char *pd, int offset, frame_data *fd, proto_tree
}
for (i = 0; i < neg; i++) {
- if (sscanf((char *) s, "%s %d %n", user, &acl, &n) != 2)
+ if (sscanf((char *) s, "%127s %d %n", user, &acl, &n) != 2)
return;
s += n;
ACLOUT(user,0,acl,n);
diff --git a/packet-nbns.c b/packet-nbns.c
index 30c3f414bf..2bd7aa04bb 100644
--- a/packet-nbns.c
+++ b/packet-nbns.c
@@ -4,7 +4,7 @@
* Gilbert Ramirez <gram@xiexie.org>
* Much stuff added by Guy Harris <guy@alum.mit.edu>
*
- * $Id: packet-nbns.c,v 1.47 2000/11/19 08:54:00 guy Exp $
+ * $Id: packet-nbns.c,v 1.48 2000/11/19 16:58:57 gerald Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@zing.org>
@@ -194,13 +194,15 @@ nbns_type_name (int type)
return "unknown";
}
+#define NBNAME_BUF_LEN 128
+
static int
get_nbns_name(const u_char *pd, int offset, int nbns_data_offset,
char *name_ret, int *name_type_ret)
{
int name_len;
char name[MAXDNAME];
- char nbname[NETBIOS_NAME_LEN];
+ char nbname[NBNAME_BUF_LEN];
char *pname, *pnbname, cname, cnbname;
int name_type;
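Review bot: Enlarging `nbname` to `NBNAME_BUF_LEN` only moves the limit; the writes that overran it are outside this hunk, so nothing visible here shows them being bounded. If the error message is still produced by an unbounded formatting call, it should take the buffer size, e.g. `snprintf(nbname, NBNAME_BUF_LEN, ...)`. The `#define NBNAME_BUF_LEN 128` line also deserves a comment such as `/* must hold the longest error string written into nbname, plus NUL */`. `name_ret` is a caller-supplied buffer with no length parameter, so if `nbname` is later copied into it, the callers' buffers would need to be at least this large, which is worth confirming. get_nbns_name's body continues outside the hunk.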
diff --git a/packet-ntp.c b/packet-ntp.c
index 7291e8b484..d8eabd551e 100644
--- a/packet-ntp.c
+++ b/packet-ntp.c
@@ -2,7 +2,7 @@
* Routines for NTP packet dissection
* Copyright 1999, Nathan Neulinger <nneul@umr.edu>
*
- * $Id: packet-ntp.c,v 1.18 2000/11/19 08:54:00 guy Exp $
+ * $Id: packet-ntp.c,v 1.19 2000/11/19 16:58:57 gerald Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@zing.org>
@@ -334,9 +334,10 @@ dissect_ntp(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
}
}
} else
- strcpy (buff, get_hostname (pntohl(pkt->refid)));
+ strncpy (buff, get_hostname (pntohl(pkt->refid)), sizeof buff - 1);
proto_tree_add_bytes_format(ntp_tree, hf_ntp_refid, NullTVB, offset+12, 4, pkt->refid,
"Reference Clock ID: %s", buff);
+ buff[sizeof buff - 1] = '\0';
/* Reference Timestamp: This is the time at which the local clock was
* last set or corrected.
*/
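Review bot: The terminator `buff[sizeof buff - 1] = '\0';` is written after `proto_tree_add_bytes_format(...)` has already formatted `buff` with `%s`, so when the host name is `sizeof buff - 1` bytes or longer the `strncpy` leaves the string unterminated at the point it is read. The assignment should move up so it runs before the tree call, i.e. `buff[sizeof buff - 1] = '\0';` placed directly ahead of `proto_tree_add_bytes_format(ntp_tree, hf_ntp_refid, ...)`. `sizeof buff` is only the right bound if `buff` is an array rather than a pointer; its declaration, and the other branches that fill it, are outside the hunk.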